Public Key Authentication for Reflection for Secure IT UNIX Client and OpenSSH Server

  • 7021939
  • 24-Feb-2005
  • 02-Mar-2018

Environment

Reflection for Secure IT UNIX Client version 7.0 or higher
OpenSSH Server

Situation

This technical note describes the steps you must follow to use public key authentication when connecting from a Reflection SSH UNIX Client to an OpenSSH server. You will use the key generation utility to generate a key pair. You will upload the public key to the server and then convert the public key to the proper format. Troubleshooting tips are also included.

Resolution

Public Key Authentication Overview

Public key authentication is one way a server can authenticate a user. It requires a private and public key pair; the private key is located on the client, and the public key must be uploaded to the OpenSSH server and converted to the proper format. In addition to the keys, specific files must exist in the user's .ssh2 directory on the client and in the user's .ssh directory on the server. If the files don’t exist, you must create them.

The process of generating keys, converting keys, and creating files is outlined below.

Using the Key Generation Utility

Use the Reflection SSH key generation utility to generate a key pair.

  1. Open a terminal window on the UNIX system with the Reflection SSH client.
  2. Use the following command to create a key pair:
ssh-keygen

Note: To get a list of available switches, use the command ssh-keygen -h, or check the man pages for more details.

The key generation utility will run for a few moments. Once the utility has generated the key pair, you are prompted to enter a passphrase and then confirm it. If you want to create a passphrase-less key, press the Enter key twice without entering passphrase.

After entering a passphrase, the location and names of the private and public keys are displayed. For example:

Private key saved to /home/username/.ssh2/id_rsa_2048_a
Public key saved to /home/username/.ssh2/id_rsa_2048_a.pub

Creating the identification file on the client

The identification file contains pointers to the private key files that may be used for public key authentication. Follow these steps to create the identification file for the private key on the client:

  1. Change directories to the .ssh2 directory in your home directory.
  2. Use the following command to create a file named identification with the IdKey information as its contents:
echo IdKey <keyname> >> identification

For example:

echo IdKey id_rsa_2048_a >> identification

This command writes the IdKey key word and the name of the file containing the private key to the identification file. If the identification file does not exist, it will be created.

Uploading the Public Key to the Server

Once the key pair is created, upload the public key to the server. When transferring the key, be sure to use binary mode.

  1. Use the command sftp user@host to connect to the OpenSSH server using password authentication (the default).
  2. Change directories to the .ssh directory in your home directory.
cd .ssh

Note: If the .ssh directory does not exist in the /$HOME directory, create it.

  1. Transfer the public key file you just created (using the Reflection SSH UNIX Client) to the OpenSSH Server by using this command:
put <keyname>.pub

Replace <keyname>.pub with the name of the public key you created, for example:

put id_dsa_2048_a.pub
  1. Use the quit command to close the sftp connection.

Converting the public key

The public key format supported by OpenSSH servers is OpenSSH, which is not compatible with Reflection's default public key format.

Now that you have uploaded the public key to the OpenSSH server, you must convert the public key format from SecSH (the format generated by the Reflection SSH client) to OpenSSH (the format supported by OpenSSH servers) and write it to the authorized_keys file. To do this, follow these steps:

  1. Use the command ssh user@host to establish a terminal session using password authentication to connect to the OpenSSH server.
  2. Change to the .ssh directory in your home directory.
cd .ssh
  1. Use the following command to convert the key to OpenSSH format and append the key to the authorized_keys file. Replace <keyname>.pub with the name of your public key:
ssh-keygen –i -f <keyname>.pub >> authorized_keys

For example:

ssh-keygen –i –f id_dsa_2048_a.pub >> authorized_keys

Note: Use the >> symbol to append to the authorized_keys file. The > symbol will overwrite the file contents. If the authorized_keys file does not exist, it will be created.

Command switches used:

    -i
    Convert IETF SecSH to OpenSSH key file
    -f filename
    Filename of the key file

You should now be able to connect with SSH, SFTP, or SCP from the UNIX system running the client to the UNIX system running the server without being prompted for a password.

Troubleshooting

If you have trouble connecting, check the troubleshooting suggestions listed below.

Setting server permissions

Verify that the file permissions on the server are configured properly. Setting the $HOME/.ssh directory to 744 and the authorized_keys file to 600 will allow key authentication to work. For more information about permissions, see KB 7021756: Understanding UNIX and NFS Permissions.

Verify that public key authentication is enabled

On the OpenSSH server:

Verify that the server configuration file, sshd_config, includes the following entries:

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Verify that the public key was uploaded and converted properly

The public key should be uploaded to the user's .ssh directory on the OpenSSH server. Verify that the public key was converted into the authorized_keys file. The authorized_keys file should have an entry similar to the following:

ssh-dssAAAB3NzaC1kc3AABPQw3crMJVmbPycSrB2EMkg3UGdszKZZFugHO34u+oExY4G6

Additional Information

Legacy KB ID

This document was originally published as Attachmate Technical Note 1932.